July 9, 2008

GEORGE W. WRIGHT
VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS

SUBJECT: Audit Report – Protection of Sensitive Equipment at Selected Postal Service Information Technology Facilities (Report Number IS-AR-08-013)

This report presents the results of our audit of sensitive equipment at selected information technology (IT) facilities (Project Number 07BD001IS003). Our objective was to determine whether controls were in place to ensure the Postal Service adequately protected information technology equipment from accidental or intentional loss or damage. Specifically, we reviewed the inventories for laptop and BlackBerry® devices assigned to employees and contractors at six IT facilities to determine if accountability controls adequately protected this equipment and any data stored on these devices. We performed this review as part of the fiscal year (FY) 2007 information systems audit of general controls at the Postal Service’s Information Technology and Accounting Service Centers (IT/ASCs). See Appendix A for additional information about this audit.

Conclusion

In most locations tested, the Postal Service had effective controls in place to ensure their sensitive information technology physical resources were adequately protected from accidental or intentional loss or damage. Specifically, we found controls were in place for tracking inventories of sensitive computer equipment at five of the six sites visited. However, management could strengthen accountability controls by ensuring they make inventory staff aware of and follow all steps related to safeguarding the inventory of information technology assets and any data stored on those devices from accidental or intentional loss or damage.
In addition, management could improve the data integrity in the Xxxxx Xxxxxxxxx Xxxxxxxxxx Xxxxxx (XXXX) by periodically reconciling the data.

Protection of Sensitive Equipment at Selected Postal Service Information Technology Facilities    IS-AR-08-013

Laptop Computer Inventories

Out of our audit sample of 235 devices, we could not locate 30[1] of 107 laptops from headquarters,[2] thus, we projected an inability to locate 836 of 2,982 laptops from the headquarters offices. Additionally, we were unable to locate three of 54 laptops from the Xxxxxxx Information Technology Service Center (ITSC) and one laptop of 11 from the Xxx Xxxxx IT/ASC. At the three remaining IT facilities, we located all laptops identified in our sample. This occurred because inventory staff[3] did not always follow, or were not aware of, policies,[4] procedures,[5] and processes for documenting and certifying inventory results and recording the information in XXXX.

We quantified the risk associated with 836[6] missing headquarters laptops and the potentially compromised laptop data. The total projected estimate associated with these laptops was $1,901,900. We based this figure xx x xxxxxxxxxxx xxxx xx xxxxxx[7] xxx xxxx xxxxxx, xxxxxxxx xxxxxxxxxx xx xxxxxxxx xxxxxx xx xxxx. Additionally, we used a conservative estimate of 10 records on each laptop and the associated cost of a potential data breach at $83 per record to calculate a potential cost of data disclosure of $693,880. (See Appendix C for details of the calculation.) These laptops and potential data disclosure could affect customer trust in the Postal Service brand. We will report $1,901,900 of non-monetary impact for physical assets at risk, safeguarding data, and goodwill branding in our Semiannual Report to Congress.
See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Information Technology Operations, direct the managers at the Xxxxx, Xxxxxxxxx; Xxx Xxxxx, Xxxxxxxxxx; Xx. Xxxxx, Xxxxxxxx; Xxxxxx-Xxxxx, Xxxxxxxxxxxx; xxx Xxxxxxx, Xxxxx Xxxxxxxx Information Technology facilities; and the Headquarters Computing Infrastructure Services to:

1. Ensure Material Accountability Officers and Assistants are aware of and follow all policies and procedures for inventory control of sensitive equipment including report certification by their functional managers.

[1] We completed our inventory work as of July 5, 2007, and 40 laptops were not located. Since that time, headquarters staff performed additional research and as of June 10, 2008, located 10 of the laptops.
[2] The headquarters category within the XXXX includes the offices located at L’Enfant Plaza, the William F. Bolger Center for Leadership Development located in Potomac, Maryland, offices located in Merrifield and Arlington, Virginia, and headquarters staff located at field sites across the nation serving in a headquarters-related job function.
[3] Postal Service policy gives primary responsibility of physical inventory and reconciliation of sensitive property records to the Material Accountability Officer and optional Material Accountability Assistant.
[4] Handbook AS-701, Material Management, June 2005 (updated with Postal Bulletin revisions through November 9, 2006), Chapter 5 – Asset Accountability and Chapter 6 – Asset Recovery, Redistribution, Recycling, and Disposal; Handbook AS-805, Information Security, March 2002 (updated with Postal Bulletin revisions through November 23, 2006), Chapter 7 – Physical and Environmental Security.
[5] IT Facilities Inventory Processes & Procedures Document, Version 9, December 4, 2006.
[6] We did not include the four laptops we could not locate at the other IT locations in our projections because they were not statistically significant.
[7] Xxx Xxxxxxx-Xxxxxxx XXXXX XX xxxxxxxx xxxxxxxx x xxxx xxxxx xx xxxxxx xxx xxxxxxxx xxxxxxxxx.

BlackBerry Device Inventories

We sampled 208 of 1,909 BlackBerry devices assigned to employees and contractors at the six IT facilities. We located all BlackBerry devices in our sample, verifying that the Postal Service had effective controls in place to ensure management adequately protected BlackBerry devices from accidental or intentional loss or damage.

Xxxxx Xxxxxxxxx Xxxxxxxxxx Xxxxxx Xxxx

xxxx did not always reflect the current custodian, location, or status of the Postal Service’s sensitive laptop and BlackBerry device inventory. From a random sample of these sensitive equipment records, we projected that 24 percent of the laptop and almost 40 percent of the BlackBerry device records would contain at least one discrepancy.[8] Although mandated by Postal Service policies[9] and procedures,[10] some inventory staff did not reconcile the physical inventories with XXXX. Additionally, the automated interface between the databases feeding laptop and BlackBerry device data to XXXX has transmitted incorrect historical data. During our search for these devices, we identified cases where one or more of the 19 databases feeding XXXX contributed to or perpetuated data record errors and, in at least one instance, a manual override could not correct the error. An accurate XXXX inventory helps ensure the ability to locate all sensitive laptop and BlackBerry equipment.
See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Information Technology Operations, direct the managers at the Xxxxx, Xxxxxxxxx; Xxx Xxxxx, Xxxxxxxxxx; Xx. Xxxxx, Xxxxxxxx; Xxxxxx-Xxxxx, Xxxxxxxxxxxx; xxx Xxxxxxx, Xxxxx Xxxxxxxx information technology facilities; and the Headquarters Computing Infrastructure Services to:

2. Conduct quarterly comprehensive reconciliations of the Xxxxx Xxxxxxxxx Xxxxxxxxxx Xxxxxx to resolve discrepancies for sensitive equipment.

3. Develop a procedure to require individuals to semiannually validate and report inventory results for laptops, BlackBerry devices, or other sensitive equipment in their possession.

4. Establish a plan with milestones to correct data interface issues to promote data accuracy in the Xxxxx Xxxxxxxxx Xxxxxxxxxx Xxxxxx.

[8] We classified a record as a discrepancy when the actual custodian, equipment status (active vs. retired), or location differed from the data element recorded in the XXXX.
[9] See footnote 4.
[10] See footnote 5.

Management’s Comments

Management agreed with all four recommendations. Regarding recommendation 1, management stated Information Technology (IT) facility managers will review applicable policies with responsible personnel each year. The managers will emphasize that the actual custodian, equipment status, and equipment location must be accurate for sensitive equipment. At individual facilities, responsible personnel will provide signed verification that they reviewed, understood, and will comply with applicable policies.
In addition, each IT facility will audit a sampling of both the quarterly sensitive reconciliation and semiannual individual sensitive equipment validation performed by the responsible personnel to ensure compliance with applicable policies. Each IT facility manager will provide report certification that the audit samples reviewed are in compliance. Management will complete their corrective action by August 29, 2008.

For recommendation 2, management stated all IT facilities would conduct quarterly reconciliations with XXXX starting by December 31, 2008, to resolve discrepancies for sensitive equipment allocated to employees. Each quarterly review will include an audited sample and the facility manager will certify that samples comply with procedures.

In conjunction with recommendation 3, management will develop a process by September 30, 2008, to require individuals to semiannually validate and report sensitive equipment in their possession. They will complete the initial semiannual validation by March 31, 2009. Management also stated that they have controls in place for assignment of sensitive equipment and they plan to implement encryption on 4,600 laptops by the end of this fiscal year.

Regarding recommendation 4, management stated that enhanced tracking procedures are in place to verify receipt of shipped equipment, report new equipment installations in a weekly status report to upper management, and ensure the equipment remains active on the network. Management stated that implementing recommendations 1-3 would correct the manual or automated feeds causing some situations of incorrect data within the XXXX. They also stated that responsible personnel will correct equipment status information and ensure they enter cancellation requests into xXxxxxx for equipment no longer needed.
Finally, management will review current data feeds to the XXXX and correct data interface issues by June 30, 2009.

We received additional information subsequent to the receipt of written comments. Management provided a list of milestones and related completion dates and informed us that they planned to complete all activities by June 30, 2009, rather than September 30, 2009, as originally reported. They also stated that they agreed with the non-monetary impact described in the report. See Appendix D to view management’s comments.

Evaluation of Management’s Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management’s comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report.

The OIG considers recommendation 1 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. This recommendation should not be closed in the follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Gary C. Rippie, Director, Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L. Whitcomb
Deputy Assistant Inspector General
for Revenue and Systems

Attachments

cc: Ross Philo
    Harold E. Stark
    Deborah J. Judy
    John P. Byrne
    Joseph G. Gabris
    Michael E Goldman
    Terrance P. Moran
    G. Dean Larrabee
    Emily M. Andrew
    Katherine S. Banks

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The XXXX is the official central repository for tracking all IT assets. The system automates the collection of data about most IT assets such as workstations, laptops, and servers. XXXX allows users to query the asset database using a variety of search methods to review, analyze, and maintain networked and non-networked asset inventory, as their assigned authority level allows. The major ongoing tasks of XXXX are to:

    • Provide a common, web-accessible view of all computing devices in the Postal Service.

    • Ensure management, data owners, and device owners have the necessary information to make informed decisions.

    • Ensure the consolidated information can interface with other systems, reducing data redundancy.

    • Continue to develop methods to ensure data accuracy.

    • Continue to discover data sources that will give a broader picture of the Postal Computing Environment.

XXXX categorizes both headquarters and headquarters-related offices in the Washington, D.C. metropolitan area as “headquarters” for generating reports. Reports generated for this category include inventory for offices located at L’Enfant Plaza, the Virginia offices of Merrifield and Arlington, and the William F. Bolger Center for Leadership Development in Potomac, Maryland.
Additionally, reports include inventory for Postal Service staff assigned to headquarters-related job functions at numerous field sites across the nation.

XXXX receives automated data feeds from 19 databases and a number of manual sources to assist in maintaining an accurate inventory of workstation and portable equipment, including laptop computers and BlackBerry devices. The chart below depicts those automated and manual sources.

Redacted

In July 2006, the Postal Service began an initiative in response to a presidential directive to improve data security related to breaches of sensitive information. To support this effort, the IT Corporate Information Security Office (CISO) and the Privacy Office jointly developed user procedures for reporting equipment loss and security breaches of Postal Service computing equipment, including laptop computers, BlackBerry devices, and other portable equipment. The Privacy Office included factual case studies in its online privacy training program, focusing on specific principles and a variety of data breaches that impacted well-known companies. Both organizations also issued a series of online articles in the USPS News Link beginning in April 2007, emphasizing mobile device security, including encrypting sensitive data.
Additionally, the CISO placed a policy on its new IT website[11] requiring that all laptops implement hard disk encryption.

After completion of our fieldwork, the reporting structure changed for Information Technology. Previously, Information Technology reported to the Vice President, Chief Technology Officer, who reported to Executive Vice President, Chief Financial Officer. As of February 25, 2008, Information Technology now reports through the Executive Vice President, Chief Information Officer, to the Postmaster General.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether controls were in place to ensure the Postal Service adequately protected sensitive Postal Service information technology equipment from accidental or intentional loss or damage. Specifically, we reviewed the inventories for laptop and BlackBerry devices assigned to employees and contractors at six IT facilities to determine if accountability controls adequately protected this equipment and any data stored on these devices. We performed this review as part of the FY 2007 information systems audit of general controls at the Postal Service’s IT/ASCs.

We limited the scope of our review to a stratified sample of laptops and BlackBerry devices identified in XXXX as located at the Xxxxx, Xxxxxxxxx; Xxx Xxxxx, Xxxxxxxxxx; xxx Xx. Xxxxx, Xxxxxxxx IT/ASCs; the ITSC in Xxxxxxx, Xxxxx Xxxxxxxx; Postal Service Headquarters in Washington, D.C.; and the Integrated Business Systems Service Center in Xxxxxx-Xxxxx, Xxxxxxxxxxxx.

To meet our objective, we obtained inventory data for laptops and BlackBerry devices from the XXXX database for the sites in our sample. We used the “Custom Query” report in XXXX to identify the universe of laptops and BlackBerry devices. We used manual and automated techniques to separate the laptop records from the other types of computer equipment records.
We worked with inventory support staff for XXXX at the Xxxxxxx ITSC to confirm that we had properly selected XXXX records for sampling. We also interviewed inventory staff to determine the process they used to address damaged laptops. Specifically, we drew a statistically valid stratified random sample for each location. The audit universe consisted of 4,139 laptops and 1,909 BlackBerry devices assigned to the headquarters, Xxxxxxx, Xxxxx, Xxx Xxxxx, Xx. Xxxxx, xxx Xxxxxx-Xxxxx IT facilities. The audit team obtained the universe information from the January 2007 XXXX database.

[11] Xxx xxx XX xxxxxxx xx xxxxxxx xx <xxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>. Xxxxxxxxx XX xxxxxxxxxxx xxxx xxxxxxx xx xxxxx xxxx.

Using the sample results, we projected the number of laptops that could not be located and the number of laptop and BlackBerry devices that were located but had discrepancies associated with the XXXX record. We classified a record as a discrepancy when the actual custodian, equipment status (active versus retired), or location differed from the data element recorded in XXXX. Additionally, we reviewed documents regarding physical security policies and practices and interviewed key Postal Service managers about current inventory practices.

We conducted this performance audit from January through September 2007 and March through July 2008[12] in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Even though some data in our sample records were incomplete or inaccurate, XXXX is the only comprehensive database available for the IT facilities that we visited; therefore, we found this system sufficiently reliable for selecting our samples. We discussed our observations and conclusions with management officials during the audit and on June 5, 2008, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

In July 2005, the U.S. Postal Service Office of Inspector General reported[13] two issues related to managing sensitive equipment. The Xxx Xxxxx xxx Xx. Xxxxx IT/ASCs relied on local procedures to manage capital and sensitive equipment, which were inconsistent with corporate-wide policy. Additionally, some capital and sensitive equipment either could not be located, had been moved, or was improperly documented in the locally managed equipment databases. We recommended that managers at the Xxxxx, Xxx Xxxxx, xxx Xx. Xxxxx data centers complete local implementation of XXXX within 90 days of report issuance. Management agreed with the recommendation and implemented XXXX at all three sites in December 2005.

[12] We did not work on this audit from October 2007 through February 2008 due to the unavailability of resources.
[13] Physical Security Controls at the Xxxxx, Xxxxxxxxx; Xxx Xxxxx, Xxxxxxxxxx; xxx Xx. Xxxxx, Xxxxxxxx Information Technology and Accounting Service Centers (Report Number IS-AR-05-012, dated July 26, 2005).

APPENDIX B: DETAILED ANALYSIS

Laptop Computer Inventories

Based on a random sample of laptop computer records from XXXX, we could not locate 30 laptops[14] from headquarters, three from the Xxxxxxx ITSC, and one from the Xxx Xxxxx IT/ASC. Using these tests, we calculated the overall results displayed in Table 1. Based on our sampling, we projected an inability to locate 836 laptops from the headquarters offices. Using a replacement cost of xxxxxx xxxx xxx xxx xxx xxxxxxx, xx xxxxxxxxx x xxx-xxxxxxxx xxxxxx xx xxxxxxxxxx[15] for physical assets at risk. Additionally, the non-monetary impact associated with cost of a potential data breach conservatively computed to $693,880 for the 836 laptops.
See Appendix C for details of our calculation for the non-monetary impact associated with potential data breaches.

Table 1: Results of Laptop Equipment Inventory Review

Location         Universe  Statistical  Items Not  Projected Items  Percent of
                           Sample Size  Found      Not Found        Not Found
Headquarters     2,982     107          30         836              28.0
All Other Sites  1,157     128          4(1)       36               3.1(1)
Total            4,139     235          34         872              21.1(2)

(1) The four laptops we could not locate at the other IT facilities were not statistically significant.
(2) We based the totals for projected items not found and percent not found on the overall point estimate of the statistical sample.

Inventory staff[16] at five of the six IT facilities all confirmed they were using a common set of procedures,[17] which included using PS Form 7340-B, Property Transfer Request Worksheet; PS Form 2880, Physical Inventory Certification/Adjustments; and PS Form 969, Material Recycling and Disposal, for managing inventory for sensitive equipment.

This situation occurred at headquarters because inventory staff did not always follow, or were not always aware of, policies,[18] procedures,[19] and processes for accurately recording key data such as custodian and location; sending or retaining documentation regarding disposal of computer laptops; and reconciling the results of the physical inventories of laptop equipment with XXXX.
Additionally, the functional manager in charge of the inventory staff had not certified the correctness of inventories performed.

During the review, we also confirmed the Postal Service did not have an enterprise-wide solution implemented to encrypt laptop computers during our audit fieldwork period of January through September 2007. Therefore, there is a potential that sensitive data contained on laptops we could not locate is vulnerable to data breach.

[14] We attempted to identify the job functions of the last known custodians for the laptops we could not locate. These included managers, miscellaneous staff positions, and several individuals who are no longer with the Postal Service.
[15] Xx xxxxxxxxxx xxx xxxxxxx xx xxxxxx xxxx xxx x xxxxx xx xxxxxxxxxx (xxx xxxxxxxxxx xx xxxxx).
[16] See footnote 3.
[17] See footnote 5.
[18] See footnote 4.
[19] See footnote 5.

Corrective Actions Taken

Management has begun a project designed to enhance laptop accountability.
The Laptop/Mobile Media Project:[20]

• Requires the employee to complete a handwritten PS Form 1357-D, Data Accountability, and include serial number, make or model, and manufacturer.

• Requires an Executive Administrative Service or Postal Career Executive Service manager’s signature.

• Makes the employee personally responsible for the equipment and acknowledges the employee will abide by security practices, including travel procedures, using encryption technology and procedures to report lost or stolen equipment.

• Requires the employee to request access in the xXxxxxx test environment, including a step where the user uploads an automated copy of the signed document.

Additionally, Corporate IT began implementing their encryption program, which will mitigate the risk associated with sensitive data stored on equipment. They will transmit encryption software directly to compatible laptops using the Systems Management Server system. Management plans to implement encryption on approximately 4,600 laptops by the end of the fiscal year.

Xxxxx xxxxxxxxx Xxxxxxxxxx Xxxxxx Xxxx

XXXX data did not always reflect the current custodian, location, or status of the Postal Service’s sensitive laptop and BlackBerry device inventory. From a random sample of laptops and BlackBerry devices, we projected that 24 percent of the laptop and 40 percent of the BlackBerry records would contain at least one discrepancy.[21] We listed overall results in the tables below.
We also projected that 20.6 percent of the laptop and 43.9 percent of the BlackBerry records for headquarters and 32 percent of the laptop and 22.5 percent of the BlackBerry records for all other IT/ASC sites would have at least one discrepancy in Xxxx.

[20] The project began April 25, 2008, at headquarters and a limited number of field groups, but management has not established a date when all users will follow these new procedures.
[21] See footnote 8.

As demonstrated in Table 2, based on our projections, 24 percent of the laptop records (984 of 4,139) would contain at least one discrepancy.

Table 2: Results of XXXX Data Review for Laptops

Location         Universe  Statistical  Number of      Projected      Percentage of
                           Sample Size  Record Errors  Record Errors  Record Errors
Headquarters     2,982     107          22             613            20.6
All Other Sites  1,157     128          41             371            32.0
Total            4,139     235          63             984            23.8(1)

(1) We based the totals for projected items not found and percentage of records in error on the overall point estimate of the statistical sample.

As demonstrated in Table 3, based on our projections, almost 40 percent of BlackBerry records (754 of 1,909) would contain at least one discrepancy.

Table 3: Results of XXXX Data Review for BlackBerry Devices

Location         Universe  Statistical  Number of      Projected      Percentage of
                           Sample Size  Record Errors  Record Errors  Record Errors
Headquarters     1,518     57           25             666            43.9
All Other Sites  391       151          34             88             22.5
Total            1,909     208          59             754            39.5(1)

(1) We based the totals for projected items not found and percentage of records in error on the overall point estimate of the statistical sample.

During our search for these devices, we identified cases where one or more of the 19 databases feeding XXXX contributed to or perpetuated data record errors and, in at least one instance, a manual override could not correct the error. For example, during our review of the sensitive equipment inventory at the Xxx Xxxxx IT/ASC, neither we nor the inventory staff could locate one laptop. We identified automated and manual feeds that affected data elements of custodian, status, or location.[22] The inventory staff confirmed that all three data elements for the laptop record were incorrect. Since we could not locate the laptop, the inventory staff initiated procedures to submit a “Lost/Theft” report and PS Form 2880, Physical Inventory Certification - Adjustments.

While we confirmed the existence of a collection of headquarters laptops, we had to rely on a fragmented process involving the equipment’s “Configuration” and “Last User Logon ID” in XXXX. With these data elements and a discussion with a network systems analyst, we determined five laptops did not belong to a permanent custodian but to users training at the William F. Bolger Center for Leadership Development. By identifying these laptops as associated with the Bolger Center, it would make future inventory efforts more efficient and alleviate concerns that they were lost or stolen.
In another case, we confirmed the existence of a laptop, but only after going through a lengthy process to ascertain that XXXX had duplicate records for the laptop. We determined that a manual override in XXXX would not correct the problem until repair technicians ran a utility disk on the laptop’s Basic Input/Output System (BIOS)[23] to recognize a new hard drive they had installed.

[22] Xxxxx xxxxxxxxx xxxxx xxxx xxxx xxx Xxxxxxxxx® Xxxxxxx Xxxxxxxxxx Xxxxxx xxxxxxxxxxxxxx xxxxxxxx, Xxxxxx Xxxxxxxxx, xxx xxx Xxxxxxxxxx Xxxxxxxx. Xxx xxxxxxxx xxxxxx xx XXXX xxxx “Xxxxxxxxx/Xxxx,” “Xxxx Xxxx Xxxxx XX,” “Xxxxxx,” “Xxxxxxx x (Xxxxxx),” “Xxxxxxxx Xxxx,” xxx “Xxxxxxxx Xxxxxxxx XX.”

Corrective Actions Taken

During our audit, management also made changes to correct problems occurring with two XXXX interfaces. During February 2008, management completed changes, which corrected a problem with the interface between XXXX and the PS Form 969, Material Recycling and Disposal, web application (969 system). The migration of the 969 system from older to newer computer equipment caused the interface between the systems to fail. The corrected interface allows the data entered in the 969 system interface to reconcile with XXXX data. Additionally, from November 19 to December 24, 2007, management reviewed and corrected an automated interface between XXXX and the BlackBerry Enterprise Server.
This effort fixed incorrectly recorded BlackBerry
device data in XXXX.

[23] BIOS refers to the firmware code run by an International Business Machines Personal Computer (PC) when first
powered on. The primary function of the BIOS is to identify and initiate component hardware (such as hard disk,
floppy, and optical disk drives). This is to prepare the machine so other software programs stored on various media
can load, execute, and assume control of the PC.

         APPENDIX C: ESTIMATED COST OF A SENSITIVE DATA COMPROMISE

The following describes the methodology we used to calculate non-monetary impact for
safeguarding assets associated with potential data breaches involving 836 laptops.

We used the Ponemon Institute’s November 2007 study [24] as a benchmark to identify
the cost of a data breach.
The Ponemon Institute classified the total cost of $198 per
record using detection and escalation costs of $9, notification costs of $15, ex-post
response costs of $46, and lost business costs of $128, as displayed in the table below.

                                                   Costs per Record as      Amount
  Cost Category                                    Reported by Ponemon      Applicable to the
                                                   Institute                Postal Service

  Detection and Escalation                                  $9                    $9
    Internal Investigation, Legal, Audit, and
    Consulting

  Notification                                              15                    15
    Letters, Emails, Telephone, Published
    Media, and Website

  Ex-Post Response                                          46                    46
    Mail, Email, Telephone (to Internal Call
    Center), Telephone (to Outsourced Call
    Center), Legal Defense, Criminal
    Investigations (forensics), Public or
    Investor Relations, Free or Discounted
    Services

  Lost Business                                            128                    13 [25]
    Cost of Turnover, Cost of Fewer New
    Customers

  Total                                                   $198                   $83

Xxx Xxxxxx Xxxxxxx xxxxxxxx xxxxx xx xxxxx xxxxxx xx xxxxxxx xxxxxxxxx xxxx
xxxxxxxxx xxxx xxxxxxx Xxxxxxxx xxxx, xxx xxxxx xxxxxxxxx xxxxxxxxx xxxxxxxxx xxx
xxxxxxxxxx xxxxxxxxxxxx xxxxxxxxxxx. The number of records stored on the seven
stolen computers ranged from four to 40,000, so we based our calculation on a
conservative 10 records per laptop.
We calculated a total non-monetary impact of
$693,880 based on $83.00 per record for the projected 836 laptops (10 records each)
which we could not locate at the headquarters offices.

[24] Ponemon Institute, LLC, 2007 Annual Study: U.S. Cost of a Data Breach, dated November 2007, page 9.
[25] The $128 estimated cost per record listed by the Ponemon Institute in the Lost Business category does not
represent a reasonable estimate for the Postal Service. We believe Postal Service customers have few alternatives
in the market for delivery of letters and packages at comparable, competitive rates so we estimate the actual loss of
business would be much less. Therefore, we elected to reduce the lost business estimate of $128 by 90 percent
(from $128 to $13).

                        APPENDIX D. MANAGEMENT’S COMMENTS
'